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DETAILED ACTION 

1 . A request for continued examination under 37 CFR 1.114, including the 
fee set forth in 37 CFR 1 .17(e), was filed in this application after final rejection. 
Since this application is eligible for continued examination under 37 CFR 1.114, 
and the fee set forth in 37 CFR 1 .1 7(e) has been timely paid, the finality of the 
previous Office action has been withdrawn pursuant to 37 CFR 1.114. 
Applicant's submission filed on August 31, 2007 has been entered. 

2. Claims 1 , 3, 5-8 and 24-35 are pending. 

Claim Rejections - 35 USC § 112 

3. In view of the amendment filed August 31 , 2007, the Examiner withdraws 
the rejection of claim 32 under 35 U.S.C. 112. 

Claim Rejections - 35 USC § 101 

4. In view of the amendment filed August 31 , 2007, the Examiner withdraws 
the rejection of claim 32 under 35 U.S.C. 101 . 

Response to Arguments 

5. Applicant's arguments filed on August 31, 2007 have been considered but 
are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 
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(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 1 02 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

7. Claims 1, 3, 5-8 and 24-35 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Flurry et al. U.S. Publication Number 2003/0061512 
(hereinafter Flurry) in view of Mishra et al. ("Security Services Markup Language", 
January 8, 2001 (hereinafter Mishra) 

[Note: "XML Key Management Specification (XKMS)", W3C Note 30, March 
2001 , pages 28-45, is used to further elaborate on the teaching of XML signature 
and HMAC taught by Mishra reference] 
As per claims 1 , 7, 26 and 32: 

Flurry teaches a method comprising intercepting at an agent a web 
service customer access to a first web service, the agent residing between the 
web service customer and the first web service and between the web service 
customer and a second web service; (page 7, paragraph 70; ASP Aggregator 
service 404) collecting at the agent one or more credentials of the web service 
customer; (page 7, paragraph 71; The ASP Aggregator generates an 
authentication challenge, i.e., logon page...) determining at the agent whether 
the web service customer is authenticated and authorized; (Page 7, paragraph 
72; ASP Aggregator service has authenticated the user) if the web service 
customer is authenticated and authorized, at the agent: granting the first request; 
initiating creation of a session and a session ticket; obtaining a session ticket ID 
for the session ticket; (page 7, paragraphs 73-75; after the ASP aggregator 
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service has authenticated the user... the ASP aggregator then generates an 
application authentication token that is appropriate for the user and the selected 
application. The client's request is modified to include the application 
authentication token... and directed to a specific URL) intercepting a second 
request to grant the web service customer access to the second web service, the 
second request comprising the assertion and a private key; (page 5, paragraph 
54- page 6, paragraph 60; ASP aggregator may use a variety of security 
technique... message authentication code (MAC), ...PKCS; page 9, paragraphs 
88-90; since the client has been previously authenticated ...the ASP aggregatore 
would immediately generate the application authentication token that is needed 
with respect to the second aggregated application. After the second aggregated 
application is received and verified, the user may interact with the second 
aggregated application) and if the private key matches the public key in the 
assertion, grant the second request without reauthenticating or reauthorizing the 
web service customer, (page 9, paragraphs 88-90; since the client has been 
previously authenticated ...the ASP aggregator would immediately generate the 
application authentication token that is needed with respect to the second 
aggregated application. After the second aggregated application is received and 
verified, the user may interact with the second aggregated application) Flurry 
does not explicitly disclose encrypting the session ticket ID and a public key into 
an assertion and matching a private key with the public key in the assertion. 
Mishra in analogues art, however, discloses encrypting the session ticket ID and 
a public key into an assertion and matching a private key with the public key in 
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the assertion, (page 11,4. Architecture; ...assertions must e signed using the 
framework described in the [XML-SIG] specification... supports both using secret- 
key (for example, HMAC) and public-key signing; page 31 MIME Binding) 
Therefore, it would have been obvious to one ordinary skill in the art at the time 
invention was made to modify the method disclosed by Flurry with Mishra in 
order to provide security services for assertions the may travel across the 
Internet and be scrutinized, and checked for validity far from the point of origin, 
(page 11; Mishra) 
As per claims 3, 8 and 27: 

The combination of Flurry and Mishra teaches all the subject matter as 
discussed above. In addition, Flurry further discloses a method wherein the 
assertion comprises a Security Assertions Markup Language (SAML) assertion, 
(page 3, paragraph 34) 
As per claims 5 and 28: 

The combination of Flurry and Mishra teaches all the subject matter as 
discussed above. In addition, Flurry further a method wherein the agent 
comprises an Extensible Markup Language (XML) agent, (page 3, paragraph 34) 
As per claims 6 and 29: 

The combination of Flurry and Mishra teaches all the subject matter as 
discussed above. In addition, Flurry further a method wherein the procssors are 
further operable to determine whether the web service customer is authenticated 
and authorized comprises comparing the web service customer with a database 
containing authentication and authorization data, (page 7, paragraph 72) 
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As per claims 24 and 30: 

The combination of Flurry and Mishra teaches all the subject matter as 
discussed above. In addition, Flurry further a method wherein the first request 
and the second request both originate at the web service customer; and 
the method further comprising communicating the assertion to the web service 
customer to enable the web service customer to access the second web service 
without reauthentication or reauthorization after the web service customer 
accesses the first web service, (page 7, paragraph 71; page 9, paragraphs 88- 
90) 

As per claims 25, 31 and 35: 

The combination of Mishra and Hallam-Baker teaches all the subject 
matter as discussed above. In addition, Flurry further discloses a method wherein 
the first request originates at the web service customer and the second request 
originates at the first web service; and the method further comprising 
communicating the assertion to the first web service to enable the web service 
customer to access the second web service without reauthentication or 
reauthorization after the web service customer accesses the first web service, 
(page 7, paragraph 71 ; page 9, paragraphs 88-90) 
As per claim 33: 

The combination of Mishra and Hallam-Baker teaches all the subject 
matter as discussed above. In addition, Mishra further discloses a method 
comprising at the agent, placing the assertion into a header; sending the 
assertion to the first web service; returning the assertion to the web service 
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consumer, (page 7, 3 S2ML Use Case Senarios; assertions can travel with the 
user in various ways...http headers) 
As per claim 34: 

The combination of Mishra and Hallam-Baker teaches all the subject 
matter as discussed above. In addition, Mishra further discloses a method 
wherein the second request comprises an XML document containing the 
assertion; and wherein the web service customer has signed the XML document 
with the private key. (page 11,4. Architecture) 

Conclusion 

8. Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Shewaye Gelagay whose telephone number 
is 571-272-4219. The examiner can normally be reached on 8:00 am to 5:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Emmanuel Moise can be reached on 571-272-3865. The 
fax phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair- 
direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll- 
free). If you would like assistance from a USPTO Customer Service 
Representative or access to the automated information system, call 800-786- 
9199 (IN USA OR CANADA) or 571-272-1000. 

Shewaye Gelagay 



EMMAWJELLOtfOISE . 
SUPERVISORY PATENT EXAMINER 




